From fe335ea4a041b915c679a43496e328f01db6128b Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 16 May 2023 06:19:03 +0000 Subject: [PATCH] import autotrace-0.31.1-55.el8 --- SOURCES/autotrace-0.31.1-CVE-2022-32323.patch | 44 +++++++++++++++++++ SPECS/autotrace.spec | 13 +++++- 2 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 SOURCES/autotrace-0.31.1-CVE-2022-32323.patch diff --git a/SOURCES/autotrace-0.31.1-CVE-2022-32323.patch b/SOURCES/autotrace-0.31.1-CVE-2022-32323.patch new file mode 100644 index 0000000..a13a352 --- /dev/null +++ b/SOURCES/autotrace-0.31.1-CVE-2022-32323.patch @@ -0,0 +1,44 @@ +--- autotrace-0.31.1.old/input-bmp.c 2022-09-05 14:41:15.694254375 +0530 ++++ autotrace-0.31.1/input-bmp.c 2022-09-08 17:11:28.131973020 +0530 +@@ -88,7 +88,7 @@ + at_address msg_data) + { + FILE *fd; +- unsigned char buffer[64]; ++ unsigned char buffer[128]; + int ColormapSize, rowbytes, Maps, Grey; + unsigned char ColorMap[256][3]; + at_bitmap_type image = at_bitmap_init(0, 0, 0, 1); +@@ -345,6 +345,10 @@ + *(temp++)= buffer[xpos * 4 + 1]; + *(temp++)= buffer[xpos * 4]; + } ++ ++ if (ypos == 0) ++ break; ++ + --ypos; /* next line */ + } + } +@@ -361,6 +365,10 @@ + *(temp++)= buffer[xpos * 3 + 1]; + *(temp++)= buffer[xpos * 3]; + } ++ ++ if (ypos == 0) ++ break; ++ + --ypos; /* next line */ + } + } +@@ -378,6 +386,10 @@ + *(temp++)= (unsigned char)(((rgb >> 5) & 0x1f) * 8); + *(temp++)= (unsigned char)(((rgb) & 0x1f) * 8); + } ++ ++ if (ypos == 0) ++ break; ++ + --ypos; /* next line */ + } + } diff --git a/SPECS/autotrace.spec b/SPECS/autotrace.spec index ecf7ae1..263566a 100644 --- a/SPECS/autotrace.spec +++ b/SPECS/autotrace.spec @@ -1,6 +1,6 @@ Name: autotrace Version: 0.31.1 -Release: 53%{?dist} +Release: 55%{?dist} Summary: Utility for converting bitmaps to vector graphics License: GPLv2+ and LGPLv2+ URL: http://autotrace.sourceforge.net/ @@ -15,6 +15,8 @@ Patch6: autotrace-0.31.1-pstoedit-detection-fix.patch Patch7: autotrace-0.31.1-CVE-2016-7392.patch Patch8: autotrace-0.31.1-CVE-2019-19004.patch Patch9: autotrace-0.31.1-CVE-2019-19005.patch +# Upstream patch +Patch10: autotrace-0.31.1-CVE-2022-32323.patch BuildRequires: libpng-devel > 2:1.2 BuildRequires: libexif-devel @@ -61,6 +63,7 @@ This package contains header files and development libraries for autotrace. %patch7 -p1 -b .CVE-2016-7392 %patch8 -p1 -b .CVE-2019-19004 %patch9 -p1 -b .CVE-2019-19005 +%patch10 -p1 -b .CVE-2022-32323 autoreconf -ivf %build @@ -100,6 +103,14 @@ find $RPM_BUILD_ROOT -type f -name "*.a" -exec rm -f {} ';' %changelog +* Tue Sep 13 2022 Parag Nemade - 0.31.1-55 +- Resolves: rhbz#2121827 Fix the gating tests by using only local test + Upstream testsuite will not work as this package code is very old + +* Mon Sep 12 2022 Parag Nemade - 0.31.1-54 +- Resolves: rhbz#2121827 + CVE-2022-32323 - heap-buffer overflow via the ReadImage() at input-bmp.c + * Fri Apr 30 2021 Parag Nemade - 0.31.1-53 - Resolves: CVE-2019-19004 : integer overflow in input-bmp.c - Resolves: CVE-2019-19005 : fix bitmap double free in main.c